Google Calendar embedding API allows injection of arbitrary content.

Background

Google Calendar offers an embedding API, allowing calendars to be embedded in web pages. This API is accessible at the following URL:

https://www.google.com/calendar/embed?src=<url>

Details

In case of an invalid URL, it mirrors back the text of the URL. For example, the following URL:

https://www.google.com/calendar/embed?src=<url>

would show the following message:

Invalid calendar id: <url>

While we have not been able to show script execution, we believe that this can still be used as a vector of attack, especially since this injects content into a page that is SSL secured with a Google certificate. Interestingly, a similar content injection attack was considered to be severe enough by Microsoft to be fixed (as per our earlier blog post).

We would like to present the following attack scenarios:

Scenario #1 — Phishing attack

An attacker can use this to send email to Google Calendar users with the following URL:

https://www.google.com/calendar/embed?src=-We%20are%20having%20a%20problem%20with%20your%20account.%20Please%20call%201-800-BAD-GUYS%20x123%20and%20give%20them%20your%20password

Resulting in the following message:

Invalid calendar id: -We are having a problem with your account. Please call 1–800-BAD-GUYS x123 and give them your password

A sophisticated attack can issue a unique extension for each spammed address, bypassing the requirement for users to provide their email address over the phone. It would also be possible to automate such attack with voice API providers like Twilio, further making users feel at ease, since most phone phishing attempts use humans.

Scenario #2 — Stock manipulation attack

An attacker can use the following URL to show a fake Google Calendar in attempt to manipulate the stock market:

https://www.google.com/calendar/embed?src=-BEGIN%3AVEVENT%0ASUMMARY%3A%20%0AUID%3A12345%0ADESCRIPTION%3BSergey%20Brin%2FElon%20Musk%20to%20announce%20%24GOOG%20acquisition%20of%20%24TSLA%0ALOCATION%3AMountainview%2C%20CA%0ADTSTART%3BTZID%3D%2FUS%2FEastern%3A20151109T100000%0ADTEND%3BTZID%3D%2FUS%2FEastern%3A20151109T113000%0AURL%3Ahttp%3A%2F%2Fintranet.google.com%2Fcalendar%2Fsergerybrin%2Feventid%3D12345%0AEND%3AVEVENT

This would result in the following message:

Invalid calendar id: -BEGIN:VEVENT SUMMARY: UID:12345 DESCRIPTION;Sergey Brin/Elon Musk to announce $GOOG acquisition of $TSLA LOCATION:Mountainview, CA DTSTART;TZID=/US/Eastern:20151109T100000 DTEND;TZID=/US/Eastern:20151109T113000 URL:http://intranet.google.com/calendar/sergerybrin/eventid=12345 END:VEVENT

Seemingly this would indicate a fake calendar event announcing the acquisition of Tesla Motors by Google. HOWEVER, given that the embed API can be used to embed any calendar, it would be trivial to create a real Google calendar with fake info and embed it.

Screenshot

(Please note the SSL icon)

Vendor Response

Vendor response is as follows:

There is no XSS demonstrated here, just content injection, which has legitimate use and is not a technical security bug for the purposes of our reporting program (phishing generally isn’t a “technical” enough attack scenario). All inputs appear to be properly sanitized, so if you want to demonstrate an actual XSS, you’d need to show proof of script execution

References

Google Security CID: 6–1050000008145
Google Calendar Embed docs: https://support.google.com/calendar/answer/41207?hl=en

Timeline

2015–08–07: Vendor notified
2015–08–07: Vendor response
2015–10–26: Public disclosure

Version Information

Version 1
Last updated on 2015–09–21